
combine certificates for multiple domains into one

Open luto opened this issue 8 years ago • 3 comments

Let's Encrypt imposes (quite reasonable) rate limits on the issuance of new certificates. Currently we request one certificate for each domain. This means that images.autossl.org and secure.autossl.org both get their own certificate. The number of certificates which can be issued like this is 25 per week - effectively limiting us to 25 subdomains.

The official way of dealing with this is combining the subdomains (up to 100) into one certificate. Dehydrated has support for this via a domains.txt file. To implement this here, I'd suggest grouping domains by their main domain name (according to the public suffix list). Each group would get one domains.txt and config file (with DOMAINS_TXT set). Dehydrated is then called with --config instead of --domain.

Combining the certificates gives us 100 subdomains instead of 25. If that is still too low, we could repeat this process for 25 subdomain-groups, giving us 2500 subdomains for each domain.

luto avatar Dec 12 '16 00:12 luto
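The grouping luto proposes, written out as an added, stand-alone example (this is not lua-resty-auto-ssl or dehydrated code): hostnames are bucketed by registrable domain using a small constructed stand-in for the public suffix list, each bucket is split into SAN chunks of at most 100 names, and for every chunk a domains.txt line and a dehydrated config setting DOMAINS_TXT are rendered. The bundle directory layout under /etc/resty-auto-ssl/bundles, the 25-per-week and 100-names-per-certificate figures, and the sample hostnames are assumptions taken from the issue text or constructed for the example.

```python
"""Group hostnames into per-registrable-domain certificate bundles.

Added example; not code from lua-resty-auto-ssl or dehydrated.  The tiny
PUBLIC_SUFFIXES table stands in for the real public suffix list
(publicsuffix.org), which a deployment would load in full.
"""
from collections import defaultdict

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed subset of the PSL
MAX_SANS_PER_CERT = 100   # per-certificate name limit quoted in the issue
CERTS_PER_WEEK = 25       # per-registered-domain issuance limit quoted in the issue
BUNDLE_BASE_DIR = "/etc/resty-auto-ssl/bundles"  # hypothetical layout


def registrable_domain(hostname):
    """Return public suffix plus one label, e.g. images.autossl.org -> autossl.org.

    The longest matching suffix wins, so foo.co.uk is not split at 'uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no public suffix found for {hostname!r}")


def group_by_registrable_domain(hostnames):
    """Map registrable domain -> sorted, de-duplicated list of hostnames."""
    groups = defaultdict(set)
    for host in hostnames:
        groups[registrable_domain(host)].add(host.lower().rstrip("."))
    return {domain: sorted(names) for domain, names in groups.items()}


def chunk_sans(names, limit=MAX_SANS_PER_CERT):
    """Split a name list into certificate-sized chunks (the 25 x 100 idea)."""
    return [names[i:i + limit] for i in range(0, len(names), limit)]


def domains_txt_line(names):
    """dehydrated's domains.txt format: first name is the CN, the rest are SANs."""
    return " ".join(names)


def render_bundle_files(hostnames, base_dir=BUNDLE_BASE_DIR):
    """Return {path: contents} for each bundle's domains.txt and dehydrated config.

    Each bundle gets its own config so dehydrated can be run with --config
    instead of --domain, as the issue suggests.
    """
    files = {}
    for domain, names in group_by_registrable_domain(hostnames).items():
        for idx, chunk in enumerate(chunk_sans(names)):
            bundle_dir = f"{base_dir}/{domain}/{idx}"
            files[f"{bundle_dir}/domains.txt"] = domains_txt_line(chunk) + "\n"
            files[f"{bundle_dir}/config"] = f'DOMAINS_TXT="{bundle_dir}/domains.txt"\n'
    return files


def dehydrated_command(config_path):
    """Command line for one bundle; --cron and --config are real dehydrated flags."""
    return ["dehydrated", "--cron", "--config", config_path]


def certificates_needed(hostnames):
    """Compare one-cert-per-host against bundled issuance for a host list."""
    per_host = len({h.lower().rstrip(".") for h in hostnames})
    bundled = sum(len(chunk_sans(names))
                  for names in group_by_registrable_domain(hostnames).values())
    return {"per_host": per_host, "bundled": bundled}


def fits_weekly_limit(hostnames, limit=CERTS_PER_WEEK):
    """True if bulk-registering all hosts at once stays under the weekly cap."""
    return certificates_needed(hostnames)["bundled"] <= limit


# Constructed sample: the two hosts from the issue, two more domains, and
# 130 synthetic subdomains so that one group needs two certificates.
SAMPLE_HOSTS = (
    ["images.autossl.org", "secure.autossl.org",
     "www.example.com", "api.example.com", "shop.example.co.uk"]
    + [f"s{i}.autossl.org" for i in range(130)]
)

if __name__ == "__main__":
    print(certificates_needed(SAMPLE_HOSTS), fits_weekly_limit(SAMPLE_HOSTS))
    for path, body in render_bundle_files(SAMPLE_HOSTS[:2]).items():
        print(path, "->", body.strip())
```

With the constructed sample, per-host issuance would need 135 certificates (impossible under a 25-per-week cap without staggering), while bundling needs 4: two for autossl.org (132 names split at 100), one each for example.com and example.co.uk.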

@luto: Sorry for the delay. But yeah, this is a great idea, it's just not something I've personally hit the need for yet. I'll try to look into implementing it at some point, but would also welcome any pull requests.

And just to clarify, lua-resty-auto-ssl should work for more than 25 subdomains on a single domain, just as long as they're registered more gradually (since the limit is on initial registrations per week per domain, but this doesn't affect renewals). As their rate limit page notes:

Note that the Renewal Exemption also means you can gradually increase the number of certificates available to your subdomains. You can issue 20 certificates in week 1, 20 more certificates in week 2, and so on, while not interfering with renewals of existing certificates.

But if you're trying to bulk register a bunch of subdomains right off the bat, I can definitely see running into this limit, so the domains.txt approach would be a nice improvement.

GUI avatar Jan 04 '17 03:01 GUI

Like I've also stated in the pull-request: This should be made optional.

The code seems to loop over all keys. We have over 20.000 in our setup. That's not a good idea and won't scale.

Apart from that: The one setting this up should be able to choose whether or not other subdomains are leaked through a generic certificate. Our customers will not always appreciate all of their subdomains being presented in one SAN.

Eihrister avatar Apr 11 '17 16:04 Eihrister

Currently I am working on a solution to this, because we are facing this problem. I have made the 'bundles' (as I like to call them) optional by defining them as following:

auto_ssl:set("bundles", {
    -- every listed subdomain of the base domain shares one certificate
    ["example.com"] = { "sub1", "sub2" }
})

I'm testing it at the moment, will update you guys when I am done.

gjongenelen avatar Feb 06 '19 10:02 gjongenelen
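An added example (not gjongenelen's pull request or any lua-resty-auto-ssl code) of the opt-in behaviour discussed in the last two comments: hosts listed in a bundle get a shared certificate covering the whole bundle, hosts outside any bundle keep a certificate of their own, so no subdomain is exposed in a SAN list unless the operator put it there. The bundle shape mirrors the config above; the "bundle:" storage-key prefix, the assumption that a bundle covers only its listed subdomains (not the bare base domain), and the validation rules are assumptions of this example.

```python
"""Resolve which names go on a certificate under an explicit, opt-in bundle config.

Added example, not project code.  BUNDLES mirrors the shape from the comment
above: base domain -> list of subdomain labels.  Assumption: a bundle covers
exactly its listed subdomains, so the bare base domain is not included.
"""

MAX_SANS_PER_CERT = 100  # per-certificate name limit quoted in the issue

# Constructed config in the same shape as the Lua snippet above.
BUNDLES = {
    "example.com": ["sub1", "sub2"],
}


def _normalize(hostname):
    return hostname.lower().rstrip(".")


def _bundle_members(base, subs):
    """Fully qualified names in one bundle, in config order (first one is the CN)."""
    return [f"{sub}.{base}" for sub in subs]


def find_bundle(hostname, bundles=BUNDLES):
    """Return (base_domain, member list) for the bundle containing hostname, or None."""
    host = _normalize(hostname)
    for base, subs in bundles.items():
        members = _bundle_members(base, subs)
        if host in members:
            return base, members
    return None


def names_for_certificate(hostname, bundles=BUNDLES):
    """Names to request: the whole bundle if opted in, otherwise only this host.

    Hosts outside any bundle never share a SAN list with other subdomains,
    which is the 'should be optional' point raised in the thread.
    """
    found = find_bundle(hostname, bundles)
    return found[1] if found else [_normalize(hostname)]


def certificate_cache_key(hostname, bundles=BUNDLES):
    """Storage key so every member of a bundle resolves to the same stored cert.

    The 'bundle:' prefix is an assumption of this example, not the project's
    storage layout.
    """
    found = find_bundle(hostname, bundles)
    return f"bundle:{found[0]}" if found else _normalize(hostname)


def validate_bundles(bundles=BUNDLES, max_sans=MAX_SANS_PER_CERT):
    """Return a list of config problems: oversize bundles and names listed twice.

    A name present in two bundles would be issued on two certificates and make
    the cache key ambiguous, so it is rejected up front.
    """
    errors = []
    seen = {}
    for base, subs in bundles.items():
        if len(subs) > max_sans:
            errors.append(f"{base}: {len(subs)} names exceeds the {max_sans}-name limit")
        for fqdn in _bundle_members(base, subs):
            if fqdn in seen:
                errors.append(f"{fqdn}: listed under both {seen[fqdn]} and {base}")
            seen[fqdn] = base
    return errors


if __name__ == "__main__":
    for host in ("sub1.example.com", "other.example.com"):
        print(host, "->", names_for_certificate(host), certificate_cache_key(host))
    print("config problems:", validate_bundles())
```

Run as a script it shows sub1.example.com resolving to the two-name bundle and other.example.com to a single-name certificate; validate_bundles is the check to run at config load time, before any issuance is attempted.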